Hacking has become industrialized.

Attack techniques and attack vectors keep evolving at an ever more rapid pace.

Attack tools and platforms keep evolving.
Reality Check #1: Hackers Know the Value of Data

Data is hacker currency

Website Access up for Sale

Reality Check #2: Hackers, By Definition, Are Early Adopters

Reality Check #3: The Good Guys Have More Vulnerabilities Than Resources
WhiteHat Security Top Ten - 2010

Percentage likelihood of a website having at least one vulnerability, sorted by class:

+ Information Leakage
+ Cross-Site Scripting
+ Content Spoofing
+ Cross-Site Request Forgery
+ Brute Force
+ Insufficient Authorization
+ Predictable Resource Location
+ SQL Injection
+ Session Fixation
+ Abuse of Functionality
Feeling Overwhelmed?

Studying Hackers

Why this helps 
+ Focus on what hackers want, helping good guys prioritize 
+ Technical insight into hacker activity 
+ Business trends of hacker activity 
+ Future directions of hacker activity 

Eliminate uncertainties 
+ Active attack sources 
+ Explicit attack vectors 
+ Spam content 

Focus on actual threats 

Devise new defenses based on real data 
+ Reduce guesswork
Approach #1: Monitoring Communications
Method: Hacker Forums

Tap into the neighborhood pub

Analysis activity
+ Quantitative analysis of topics
+ Qualitative analysis of information being disclosed
+ Follow up on specific interesting issues
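The quantitative topic analysis described above, as an added example that is not part of the original deck: a keyword classifier (the keyword lists are my own assumption, not Imperva's method) that buckets constructed forum posts into the topic classes used on the following slides and reports each class's share of the discussion.

```python
import re
from collections import Counter

# Topic classes mirror the pie charts in this deck; the keyword lists are my own
# assumption, not Imperva's classifier, and one post may fall into several classes.
TOPIC_KEYWORDS = {
    "SQL Injection": [r"\bsqli?\b", r"sql injection", r"union select"],
    "LFI / RFI": [r"\blfi\b", r"\brfi\b", r"file inclusion"],
    "Passwords": [r"password", r"\bhash(es)?\b", r"cracking"],
    "Credit Cards": [r"credit card", r"\bcvv\b", r"\bdumps?\b", r"carding"],
    "Spam & Phishing": [r"\bspam\b", r"phish"],
    "Anonymity": [r"\bproxy\b", r"\btor\b", r"\bvpn\b", r"anonym"],
    "Hacked Sites": [r"hacked sites?", r"\bdefaced?\b", r"shell access"],
}
COMPILED = {t: [re.compile(p, re.I) for p in pats] for t, pats in TOPIC_KEYWORDS.items()}

def classify_post(text):
    """Return the set of topic classes whose keywords occur in one forum post."""
    return {t for t, pats in COMPILED.items() if any(p.search(text) for p in pats)}

def topic_breakdown(posts):
    """Percentage of posts touching each topic, most popular first; unmatched posts count as Other."""
    counts = Counter()
    for post in posts:
        counts.update(classify_post(post) or {"Other"})
    return {t: round(100.0 * n / len(posts), 1) for t, n in counts.most_common()}

# Constructed sample posts (not real forum data).
SAMPLE_POSTS = [
    "need help with blind sql injection on a login form",
    "selling fresh cc dumps with cvv, paypal accepted",
    "which proxy or vpn is safest for anonymity?",
    "how do i exploit lfi to read /etc/passwd",
    "best tool for cracking md5 password hashes?",
    "union select not working, any sqli tips?",
    "looking for hacked sites with shell access",
    "phishing kit for yahoo mail, anyone?",
    "new rootkit release, check it out",
    "sql injection cheat sheet thread",
]

if __name__ == "__main__":
    for topic, pct in topic_breakdown(SAMPLE_POSTS).items():
        print(f"{topic:16s} {pct:5.1f}%")
```

Run over a real crawl, the same loop gives the "SQL injection is the most popular topic" style breakdown shown on the next slide; the qualitative follow-up on interesting posts still needs a human.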
SQL Injection = Most Popular Topic

Topic Breakdown (share of forum discussion):
+ SQL Injection: 29%
+ Other Exploits: 21%
+ Passwords: 12%
+ Spam & Phishing: 6%
+ Credit Cards: 6%

Source: Imperva
Non-SQL Injection Exploits

Exploits (non-SQL Injection):
+ Hacked Sites: 17%
+ LFI / RFI: 9%
+ Anonymity: 6%
+ Other: .8%
Mobile (In)Security

Hacker Forum Discussion Analysis

[Bar chart: forum mentions of nokia, iphone and android, grouped by period: last 3 months, 3 to 6 months ago, 6 to 9 months ago, a year ago and older]

Hacker interest in mobile has increased. Consider 4000+ mentions in the past year versus only 400 from 12+ months ago.

Source: Imperva's Application Defense Center Research
Approach #2: Knowing Hacker Business Models
Example: Rustock

Rustock Takedown Cut Spam By 33%

Bagle and other botnets seem to be picking up the slack, according to Symantec.

By Mathew J. Schwartz, InformationWeek
March 2011

All hail the Rustock botnet takedown. Between March 15 and 17, during which time Rustock was taken down, global spam volumes fell by 33.6%, according to a Symantec MessageLabs Intelligence report. Compared to the week before the takedown, the number of daily spam emails decreased from [illegible] billion to [illegible] billion.

At its height, the Rustock botnet pumped out 13.32 billion emails per day, comprising [illegible]% of the world's daily spam diet. But will the Rustock respite last?
When installing SpyEye there is even the "Kill Zeus" capability which, if chosen, checks whether there are any installations of the Zeus Trojan, and uninstalls it before installing SpyEye.

Towards the end of October, the bot code developers of SpyEye and Zeus bots were showing signs of a merger.
Approach #3: Technical Attack Analysis

[Screenshot: terms notice of a freeware program ("This is a freeware program ... Clicking 'Start' button you are accepting the terms of the program ..."); remainder truncated]
[Screenshot: harvested credential records, each with Username, Password, Type (Yahoo or Paypal) and IP fields; values partly redacted in the slide]
Getting Into Command and Control Servers
US charges 60 in connection with the Zeus Trojan

Zeus operators have made more than $200 million from the scam, authorities say

By Robert McMillan, IDG News Service
September 30, 2010 11:52 AM ET

U.S. authorities have charged more than 60 people in connection with the money-stealing Zeus Trojan program, according to the U.S. Department of Justice.

[Related link: Zeus botnet bank thieves were careless with own security]

The arrests follow a Tuesday U.K. sweep that led to 11 charges against Eastern European citizens thought to be involved in moving stolen funds out of the country.

Zeus has been a major problem for computer users and financial institutions over the past few years. Once installed on the victim's PC, the malware can be used to log into a victim's bank account and transfer funds to another account controlled by the criminals.
Approach #4: Traffic Analysis Via Honeypots
DDoS 2.0

HTTP Request Caught at a ToR Honeypot

+ POST /.dos/function.php HTTP/1.1
+ User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.3) Gecko/20100409 Gentoo Firefox/3.6.3
+ Parameters
- ip=82.98.255.161&time=100&port=80
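As an added example (not code from the original deck or from Imperva), a small parser that turns a captured request like the one above into a checkable signature: it recognises the PHP DoS tool's POST to function.php carrying ip/time/port fields and extracts the victim and duration, so a honeypot operator can warn the targeted host and feed the pattern into a WAF rule. The hostname, header set and victim address in the sample capture are constructed.

```python
import ipaddress
from urllib.parse import parse_qs, urlsplit
# Signature taken from the request on this slide: a POST to function.php whose form
# fields name the victim (ip, port) and the attack duration (time).
DOS_PATH_SUFFIX = "/function.php"
DOS_FIELDS = {"ip", "time", "port"}

def parse_http_request(raw):
    """Split one raw HTTP/1.1 request into method, path, headers and parameters."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    params = parse_qs(parts.query)                      # GET-style parameters
    if "application/x-www-form-urlencoded" in headers.get("content-type", ""):
        params.update(parse_qs(body))                   # POST form body
    return {"method": method, "path": parts.path, "headers": headers, "params": params}

def php_dos_target(req):
    """Return (victim_ip, port, seconds) when the request matches the PHP DoS signature, else None."""
    if req["method"] != "POST" or not req["path"].endswith(DOS_PATH_SUFFIX):
        return None
    params = req["params"]
    if not DOS_FIELDS.issubset(params):
        return None
    try:
        victim = ipaddress.ip_address(params["ip"][0].replace(" ", ""))  # tolerate stray spaces
        port, seconds = int(params["port"][0]), int(params["time"][0])
    except ValueError:
        return None
    if not (0 < port < 65536 and seconds > 0):
        return None
    return str(victim), port, seconds

# Constructed capture; 203.0.113.5 is a documentation address, not the slide's real victim.
SAMPLE_CAPTURE = (
    "POST /.dos/function.php HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.3) Gecko/20100409 Firefox/3.6.3\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "ip=203.0.113.5&time=100&port=80"
)

if __name__ == "__main__":
    print(php_dos_target(parse_http_request(SAMPLE_CAPTURE)))   # ('203.0.113.5', 80, 100)
```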



Scale - Probably The Tip of the Iceberg

Google shows hundreds; probably only the tip of the iceberg.

Google query: allintitle: "PHP DoS Coded by EXE"

[Screenshot: results page listing many hosted copies titled "PHP DoS, Coded by EXE", each with the snippet "Your IP: ... (Don't DoS yourself nub). IP: Time: Port: After initiating the DoS attack, please wait while the browser loads." (one result in Spanish)]
Impact: Who was Brought Down?

■ Only saw it launched against one server
+ IP was a Dutch hosting provider
■ But there is likely more
+ We only see a fraction of the general traffic on our honeypot
+ This is only one implementation of DoS
■ Impact?
+ Depends on the hosting web server bandwidth
+ A cable modem user typically has 384 Kbps upstream
+ A web host in a data center can have a 1 Gbps pipe
■ 1 server = 3000 bots
Case Study - Operation Payback

[Screenshot of the Operation : Payback website] Welcome to the Operation : Payback website. Our usual website is unable to accommodate visitors due to DDOS attacks, so we have limited the site to a much lighter interface to display basic information to our Users.

Target: MasterCard

[Netcraft chart: total time from Pennsylvania/INetU-2 to www.mastercard.com, 15.00-minute steps, 09 Dec to 10 Dec 2010, with failures marked; last sample 11-Dec-2010 23:15:00 GMT; (c) www.netcraft.com]
Operation Payback - Monitoring Communications

[mIRC screenshot: channel #OperationPayback on AnonOps.net, 2567 users; topic: "OPERATION PAYBACK | TARGET: api.paypal.com port:443 | See: #Setup #WikiLeaks ..."]

Legible chat excerpts (join/quit noise omitted):
<DaReaper> paypals cdn : paypalobjects... their CDN
<not> we're not targetting paypal.
<DaReaper> attack their CDN
<@evilworks> ... running your own (BIG) botnets and want to be in sync with ...
Technical Attack Analysis

[Screenshot of an Anonymous how-to pamphlet]

HOW TO JOIN THE FUCKING HIVE
DDoS LIKE A PRO
-Anon

1. Get the latest LOIC from:
http://github.com/NewEraCracker/LOIC/downloads

2. FIX YOUR GODDAMN INTERNET
THIS IS VERY FUCKING IMPORTANT.
Although your ION cannon is showing thousands of connections per second, the truth is that Windows is allowing only a limited amount of those connections to pass through to the internet.

2.A Download TCP-Z, a TCP/IP Patch for Windows from:
http://deepxw.blogspot.com/
This will patch your tcpip.sys in memory, or directly on the hard disk.

2.B Use the patch in memory, or directly on the hard disk.

2.C Don't forget to set a higher fucking value than before. 2000 is a good choice for ... [remainder illegible]

3. SET UP THE LOIC FUCKING HIVE MIND
THIS IS ALSO VERY FUCKING IMPORTANT
LOIC now has a very neat feature which unites every fucking LAZER with each other.
This will AUTOMATICALLY set the target, message, method and ALL OTHER HARDCORE STUFF for you!
This way, an operation has way more chance to succeed, as we are legion.

3.A - PROTIP: FUCKING HIVE MIND settings are found here: [screenshot]
Operation Payback - Business Model

LOIC Downloads, 7-11 of December

[Pie chart: LOIC downloads, geographic breakdown: United States, Germany, France, United Kingdom]
Conclusions

Time to get proactive 

+ Scan Google for Dorks with respect to your application 

- Dorks and tools are available on the net 

+ Search Google for Honey Tokens 

- Distinguishable credentials or credential sets 

- Specific distinguishable character strings 

+ Watch out for name popping in the wrong forums... 

Fighting automation 

+ CAPTCHA 

+ Adaptive authentication 

+ Access rate control 

+ Click rate control 
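The honey token idea in the list above, as an added example that is not from the original deck: a hypothetical scheme that makes each planted credential string both searchable and attributable to the data set it was planted in, plus a scan of scraped text for genuine hits. The secret, data set names and sample dump are constructed.

```python
import hashlib
import hmac
import re

# Hypothetical scheme (not from the deck): token = ht.<dataset-id>.<tag>, where the tag is
# an HMAC over the dataset id. The string looks odd enough to search for, only the holder of
# the secret can tell a real token from an imitation, and a hit names the data set that leaked.
PREFIX = "ht"
TAG_LEN = 10
TOKEN_RE = re.compile(rf"\b{PREFIX}\.([a-z0-9-]+)\.([0-9a-f]{{{TAG_LEN}}})\b", re.I)

def _tag(dataset_id, secret):
    return hmac.new(secret, dataset_id.encode(), hashlib.sha256).hexdigest()[:TAG_LEN]

def make_honey_token(dataset_id, secret):
    """Build a distinguishable string to plant in a data set, e.g. as a bogus username."""
    dataset_id = dataset_id.lower()
    return f"{PREFIX}.{dataset_id}.{_tag(dataset_id, secret)}"

def verify_honey_token(candidate, secret):
    """Return the dataset id if the candidate carries a valid tag under our secret, else None."""
    m = TOKEN_RE.fullmatch(candidate)
    if not m:
        return None
    dataset_id, tag = m.group(1).lower(), m.group(2).lower()
    return dataset_id if hmac.compare_digest(tag, _tag(dataset_id, secret)) else None

def find_leaked_datasets(text, secret):
    """Scan scraped text (dork results, forum posts, pastes) and return the data sets that leaked."""
    leaked = {verify_honey_token(m.group(0), secret) for m in TOKEN_RE.finditer(text)}
    return sorted(leaked - {None})

# Constructed demo secret and scraped post (not real data); keep the real secret in a vault.
DEMO_SECRET = b"replace-me-with-a-vault-managed-key"
SAMPLE_DUMP = (
    "fresh dump from some shop, 2k accounts:\n"
    f"{make_honey_token('crm-export-2010q4', DEMO_SECRET)}:hunter2\n"
    "ht.crm-export-2010q4.0123456789:guess\n"   # imitation with a forged tag
    "bob@example.org:letmein\n"
)

if __name__ == "__main__":
    print(find_leaked_datasets(SAMPLE_DUMP, DEMO_SECRET))   # ['crm-export-2010q4']
```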



Conclusions

Application Security Meets Proactive Security 
+ Quickly identify and block source of recent malicious activity 
+ Enhance attack signatures with content from recent attacks 
+ Identify sustainable attack platforms 

- Anonymous proxies 

- TOR relays 

- Active bots 

+ Identify references from compromised servers 
+ Introduce reputation based controls 
Imperva in 60 Seconds

Questions?

And You Can Monitor Trendy Attacks
[Screenshot: phishing page imitating IRS.gov. Amid the cloned navigation ("Most Requested Forms and Publications", "Where's My Refund?", "Online EIN Application") the page offers "Get Refund on your Visa or Mastercard" and asks the visitor to "enter the Complete Information below and your Credit Card information where refunds will be made", with a pre-filled refund amount of $1,500.55 and fields for Full Name, Billing Address, Billing City, Billing State, Zip code, Billing Phone, E-mail Address and Social Security Number.]